I use Net.Data for dynamic pages, and as a security precaution I have my static pages in one source file and the macros in a different file. The permissions are set so that QTMHHTP1 can see the macros but not the static pages and QTMHHTTP cannot see the macros. I tried putting a / at the end of a URL and I get a "File not found" message, instead of the source code. The page is there, but the default user has *EXCLUDE

"Hall, Philip" wrote:

> FYI....
>
> > -----Original Message-----
> > From: 'ken'@FTU
> > Sent: Thursday, November 08, 2001 8:42 AM
> > To: bugtraq
> > Subject: IBM AS/400 HTTP Server '/' attack
> >
> > IBM's HTTP Server on the AS/400 platform is vulnerable to an attack
> > that will show the source code of the page -- such as an .html or .jsp
> > page -- by attaching an '/' to the end of a URL.
> >
> > Compare these two URLs:
> >
> > http://www.foo.com/getsource.jsp
> >
> > http://www.foo.com/getsource.jsp/
> >
> > The latter URL will deliver the jsp source to the browser.
> >
> > I reported this problem to IBM approximately 9 or 10 months ago.
> >
> > I was told it was a bug but not a security vulnerability. When I
> > explained that Microsoft had a similar bug (asp dot bug) they told me
> > that "they did not share the same source code base." I replied to this
> > ludicrous reply: "Isn't it possible that since you developed servers
> > that function in a similar manner you have the same logical bug?" To
> > this they were speechless. I imagine that a .jsp page could contain user
> > names and passwords if they are accessing databases, especially if these
> > databases are on the network.
> >
> > By the way, the IBM HTTP server was derived from an early version of
> > Apache. I have not seen Apache servers vulnerable to this bug.
> >
> > Since I reported this "non-security" bug so long ago I hope it is fixed
> > through the regular set of changes. I cannot confirm this bug was fixed.
> > As far as I know this vulnerability was not yet reported to the public.
> >
> > 'ken'
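
Added example, not part of the original messages: a way to look through HTTP access logs for the request shape described in the report (a page URL with '/' appended) and to separate the ones the server answered with 200 from the ones it refused. The Common Log Format layout, the extension list, the function names and the sample lines are assumptions made for this illustration.

```python
import re
from urllib.parse import urlsplit

# Assumed list of page extensions to watch; adjust to what the site serves.
SOURCE_EXTS = ("jsp", "html", "htm")

# Assumed log layout (Common Log Format): host ident user [time] "request" status bytes
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
TRAILING_SLASH = re.compile(r"\.(?:%s)/+$" % "|".join(SOURCE_EXTS), re.IGNORECASE)

def find_trailing_slash_hits(lines):
    """Return (host, target, status) for requests such as /page.jsp/ .

    Status 200 means the server returned a body for the slash-suffixed URL,
    which is the case the report describes; other statuses are kept so that
    requests the server refused (for example 404) are still visible.
    """
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # not an access-log line in the assumed format
        path = urlsplit(m.group("target")).path  # drop ?query before matching
        if TRAILING_SLASH.search(path):
            hits.append((m.group("host"), m.group("target"), int(m.group("status"))))
    return hits

def served(hits):
    """Subset of hits answered with 200 (possible source disclosure)."""
    return [h for h in hits if h[2] == 200]

# Constructed sample log lines (not taken from any real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [08/Nov/2001:08:40:01 -0500] "GET /getsource.jsp HTTP/1.0" 200 512',
    '192.0.2.10 - - [08/Nov/2001:08:40:05 -0500] "GET /getsource.jsp/ HTTP/1.0" 200 2048',
    '192.0.2.77 - - [08/Nov/2001:08:41:12 -0500] "GET /docs/ HTTP/1.0" 200 900',
    '192.0.2.77 - - [08/Nov/2001:08:41:30 -0500] "GET /index.html/?x=1 HTTP/1.0" 404 -',
]

if __name__ == "__main__":
    for host, target, status in find_trailing_slash_hits(SAMPLE_LOG):
        print(host, target, status)
```

A 404 on the slash-suffixed URL matches the "File not found" behaviour described in the reply at the top of this thread; a 200 is the case to review.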